data.rtbfy.com Malwarebytes gives me pop-up box with Firefox

[iopman]

Recently I have started to get a Malwarebytes pop-up notification when I am using FIrefox 36.0 and early versions.  It says the Malwarebytes 2.xx  (latest Premium version) is blocking attempt to go to data.rtbfy.com at IP address 208.43.117.244.   When I scan with Malwarebytes it does not detect malware.  I also scan with Norton Internet Security 2014 - no detection of virus or other malware, including scan with Norton Power Eraser.  I would like help removing this malware.  I ran Farbar latest 64 bit version, logs are attached.  I am running a Dell Alienware 17 laptop with Windows 7 Ultimate.  Thanks Paul S

 

 

Addition.txt

FRST.txt

[TwinHeadedEagle]

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.

Limit your internet access to posting here, some infections just wait to steal typed-in passwords.

Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.

Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.

Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.

Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.

Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.

If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

---

 

Download Malwarebytes Anti-Rootkit to your desktop.

Double-click the icon to start the tool.

It will ask you where to extract it, then it will start.

Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.

Click in the introduction screen "next" to continue.

Click in the following screen "Update" to obtain the latest malware definitions.

Once the update is complete select "Next" and click "Scan".

When the scan is finished and no malware has been found select "Exit".

If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.

Open the MBAR folder and upload the content of the following files in your next reply:

"mbar-log-{date} (xx-xx-xx).txt"

"system-log.txt"

 

---

 

Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

Right-click on icon and select Run as Administrator to start the tool.

(XP users click run after receipt of Windows Security Warning - Open File).

Make sure that Addition option is checked.

Press Scan button and wait.

The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

---

 

Please re-run Malwarebytes' Anti-Malware.

• Click the History tab.

Click Application Logs and double-click the newest Protection Log.

At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

[iopman]

thanks   will work on starting in about 40 minutes   thanks for quick reply

[iopman]

Okay all the appropriate logs are attached   I ran all the three programs in the order that you suggested.

 

With respect to rootkits - these same seven items have been detected "many" times by me when I run rootkit option in Malwarebytes 2.0X   I remove them, and reboot and then they are back.  Same exact files detected with Malwarebytes Anti-Rootkit.   Both programs say that they have removed the rootkits, but they are still present whether or not i immediately reboot or immediatly re scan with either program after i have "remove" the rootkits.  I have been assuming that these are false alarms - am I correct, and if NOT correct and they are true rootkit malware then nothing seems to be removing them?  Norton Power Eraser, which supposedly also scans and removes rootkits does NOT detect any of these seven supposed rootkit files.  Nor dos a scan with Norton Internet Security 2014.   Also, as you can see even though I told Malware Anti-Rootkit to remove the supposed 7 rootkits it discovered, after rebooting Malwarebytes 2.0 found the same 7 and again attempted to remove or quarantine them

 

Paul S   as IOPMAN

Addition.txt

FRST.txt

mbar-log-2015-03-04 (13-50-14).txt

system-log.txt

Malwarebytes detection log.txt

[TwinHeadedEagle]

I am not sure this is real rootkit detection, so let's make one more check:
 
 
Scan with TDSSKiller
 
Please download TDSSKiller by Kaspersky and save it to your desktop.

• Right-click on
• icon and select Run as Administrator to start the tool.

• Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
• Your machine may appear very slow and unusable after that - it's normal.
• TDSSKiller will run automaticaly. Click on Change parameters and click OK.
• Click the Start Scan button and wait patiently.
• If anything will be found follow this guidelines:
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    If Cure is not available, please choose Skip instead.
  • Do not choose Delete unless instructed!
  A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

[iopman]

will do so - this of course is about the possible rootkits, that is a separate issue from the data.rtbfy.com issue! SMILE     will get back to you shortly  thanks

[iopman]

Some bad news.  I downloaded and ran the Kapersky program with adminstrator rights.  Caused BSOD.  Upon reboot the system ran chkdsk and found mulitiple index errors and attribute errors and other issues.  Allowed chkdsk to "fix" them.  Upon full reboot ran Kapersky program AGAIN.  Same blue screen of death.   Rebooted one more time, into safe mode this time a for a third time ran the Kapersky program (as administrator).  Surprise, BSOD again.   I have RollbackRx installed, used it to go back before the first time I ran Kapersky TDSSKiller.  Rebooted and ran chkdsk - NO errors.  Now I am back here with you.  So no progress re rootkits and no progress re data.rtbfy.com.  Any other ideas?

 

Thanks

 

Pauls S as IOPMAN

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

[iopman]

I am not at home today until late this evening    I will work on this tomorrow mid morning  Friday   thanks very much for your assistance  Paul

[iopman]

Just ran FARBAR as you directed.  Attached is the FIXLOG.TXT.  I note thatthe pop-up box message I have been getting referred to FIREFOX - and that FARBAR seemed to be fixing CHROME as far as I can tell, which was not the browser with the problem.  But of course i am not really sure what was fixed by FARBAR, so I am agian in your good hands.  What's next kind sir?

 

Paul S

Fixlog.txt

[TwinHeadedEagle]

We remove just some leftovers in Chrome, nothing else.

 

Can you try to reinstall Firefox?

[iopman]

sure   i will remove it and reinstall it  thanks

[iopman]

okay  firefox was uninstalled and reinstalled   took me some time as i had to also reinstall Roboform and synch firefox with android devices     now all up and running   let us see if i get the pop up box which is of course only intermittent   thanks for all your help   i will report back to you either way   off to airport to pick up wife   more later     Paul

[TwinHeadedEagle]

Okay, keep me updated

[iopman]

Unfortunately, problem still exists.While watching a Netfix movie using Firefox tonight about 8 05 pm EST, the same pop up from Malwarebytes Premium reared its ugly head   the browser was blocked from

 

data.rtbfy.com at IP address 208.43.117.244

 

 

any other thoughts   i know some other malwarebytes users have posted same exact problem on this forum but i cannot figure out if and how the problem was solved

[TwinHeadedEagle]

Please re-run Malwarebytes' Anti-Malware.

• Click the History tab.
• Click Application Logs and double-click the newest Protection Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

[iopman]

here is the latest protection log

Malwarebytes detection log.txt

[iopman]

you can see in the log that   

 

Detection, 3/6/2015 7:34:36 AM, SYSTEM, ALIENWARE, Protection, Malicious Website Protection, IP, 208.43.117.244, data.rtbfy.com, 57170, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

 

was detected numerous times

[iopman]

i have just done some research and I think i was able to add a blocking rule in NOrton to prevent inbound and outbound communication with that IP address   but that would just be a workaround   i want to rid myself of the malware that is causing firefox to try to go to that web / ip address   any other suggestions?

[TwinHeadedEagle]

Is this happening only when Firefox is opened? Can you try to disable all Firefox extensions and then see if there are still warning popping out?

[iopman]

only when firefox is opened

i have attached a .jpg  with the plug ins that i use   nothing new  none of them are likely cuprits

[TwinHeadedEagle]

I've meant to check extensions, not plugins.

[iopman]

here are my extensions   again  known items, nothing changed recently

[TwinHeadedEagle]

Can you try to disable them all and then let me know if you still have MalwareBytes warnings.

[iopman]

ok i have disabled them all      the pop up that we have been tracking occurs intermittently, essentially randomly, so it may take time until i can determine if it is still occuring  Paul